There is no legal solution to malware

In response to my recent article, Why do people write viruses?, I have run across proposals for legal solutions to the problem of self-propagating mobile malicious code and other malware. The proposals involve such solutions as mandatory prison sentences, corporal punishment (e.g., public caning), and even capital punishment (i.e., public execution). One suggestion involved a month's incarceration — without access to a computer, of course — per discrete infection, sentences running consecutively, potentially leading to several lifetimes' worth of incarceration for particularly successful viruses.

There are a number of problems with such solutions, however.

First, many virus writers would be effectively immune to these legal penalties by simple virtue of the fact that they live outside your jurisdiction. Taking victims in the United States as an example, they might be affected by a virus created by a miscreant in the Russian Federation or Jordan, neither of which has an extradition treaty with the United States.

The problem of extradition treaties doesn't even come up until you figure out who committed the crime, though. How do you conduct a criminal investigation across international borders when you don't even have any physical evidence, and when the process of performing forensic analysis requires getting access to computers that belong to people who are citizens of another nation? Even for "friendly" nations, this can impose some significant roadblocks in your investigation. A successful conclusion to that kind of investigation would require the aid of computer forensic experts in the employ of other nations' law enforcement agencies, according to those other nations' laws. Since criminals do not need to physically visit other countries for the crime's trail to pass through them, when the crime is one of propagating computer viruses, it's easy to route the commission of the crime through nations that are least likely to be of aid to US law enforcement.

Now, let's consider the political matter of punishment. Many nations would not much like the idea of several centuries of imprisonment for a precocious sixteen year old who wrote a little bit of code in his free time. Even worse is the idea of corporal or capital punishment. Many nations that have extradition treaties with the United States refuse to turn over criminals to US law enforcement when their crimes are punishable by death under US law. If you apply corporal punishment (what some would call "torture") or capital punishment (some call that "murder") to the crime of writing viruses that cause significant harm, even many countries that have extradition treaties with the US will say "no" when you ask them to turn over the criminal for prosecution.

Finally, there's the "problem" of the laws in the US. Are you prepared to urge Congress to amend the Constitution to allow corporal punishment, or to imprison someone for ten thousand consecutive one-month sentences? There are prohibitions against "cruel and unusual punishment" in the federal government's founding document that the courts would likely rule prohibit exactly the sort of legal measures advocated.

Imposing more severe penalties is likely to provide only the weakest of deterrents, if they are any deterrent at all. Statistical studies tend to show that even capital punishment doesn't provide a statistically significant deterrent to the criminal population. In some cases, mandatory harsh penalties such as three-strikes laws actually increase the likelihood that a given criminal will commit more heinous crimes, such as killing potential witnesses to increase their chances of getting away with the robbery that started the whole mess. Similar effects of criminal penalties for malware writers are possible.

How would we count the number of infections in a manner that can be substantiated in court to impose a month's incarceration per infection? Does "innocent until proven guilty" no longer apply when we are counting up the number of incidents of infection? Should law enforcement be allowed to propagate its own self-replicating malware, whose only purpose is to spy on our computers to report back on the presence of other viruses? Should we rely entirely on voluntary reporting from people whose apathy will prevent them from caring enough to fill out the necessary paperwork and testify in court?

Would you really want a string of ten thousand witnesses for the prosecution coming to court, anyway? The first case brought to trial could grind not just the court system but the whole country to a halt, if we need to bring in that many witnesses.

The most important goal of any system of jurisprudence should always be the protection of the would-be victim. Where someone demonstrates that he or she is not only capable of violating others' rights, but eager to do so, that person should definitely be prevented from doing so in the future. Incarceration should be regarded as a preventative measure, employed in cases of people who have made it clear that they intend to violate the rights of others by already taking action to violate others' rights. That, alone, will not solve the problem of malware, though. The only real deterrent for such acts that is likely to work is to make the very attempt pointless.

If the malware never achieves any success at all, nobody will ever bother writing any. In this case, the technical solution is the only effective solution. The way to defeat malware writers, and to get them to stop doing what they do, is to take steps to eliminate our vulnerability to their malware — not to try to execute all the malware writers in the world. When the vulnerability does not exist in any reasonably exploitable form, indiscriminately propagating malware will no longer be written, just because there's no point in writing code that doesn't do anything.

There are ways to eliminate our vulnerability to malware, believe it or not, but that's a subject for another article.